From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Tom Herbert <tom@quantonium.net>,
David Lebrun <dlebrun@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 10/43] ipv6: sr: fix NULL pointer dereference when setting encap source address
Date: Thu, 29 Mar 2018 20:00:05 +0200 [thread overview]
Message-ID: <20180329175731.128620506@linuxfoundation.org> (raw)
In-Reply-To: <20180329175730.190353692@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lebrun <dlebrun@google.com>
[ Upstream commit 8936ef7604c11b5d701580d779e0f5684abc7b68 ]
When using seg6 in encap mode, we call ipv6_dev_get_saddr() to set the
source address of the outer IPv6 header, in case none was specified.
Using skb->dev can lead to BUG() when it is in an inconsistent state.
This patch uses the net_device attached to the skb's dst instead.
[940807.667429] BUG: unable to handle kernel NULL pointer dereference at 000000000000047c
[940807.762427] IP: ipv6_dev_get_saddr+0x8b/0x1d0
[940807.815725] PGD 0 P4D 0
[940807.847173] Oops: 0000 [#1] SMP PTI
[940807.890073] Modules linked in:
[940807.927765] CPU: 6 PID: 0 Comm: swapper/6 Tainted: G W 4.16.0-rc1-seg6bpf+ #2
[940808.028988] Hardware name: HP ProLiant DL120 G6/ProLiant DL120 G6, BIOS O26 09/06/2010
[940808.128128] RIP: 0010:ipv6_dev_get_saddr+0x8b/0x1d0
[940808.187667] RSP: 0018:ffff88043fd836b0 EFLAGS: 00010206
[940808.251366] RAX: 0000000000000005 RBX: ffff88042cb1c860 RCX: 00000000000000fe
[940808.338025] RDX: 00000000000002c0 RSI: ffff88042cb1c860 RDI: 0000000000004500
[940808.424683] RBP: ffff88043fd83740 R08: 0000000000000000 R09: ffffffffffffffff
[940808.511342] R10: 0000000000000040 R11: 0000000000000000 R12: ffff88042cb1c850
[940808.598012] R13: ffffffff8208e380 R14: ffff88042ac8da00 R15: 0000000000000002
[940808.684675] FS: 0000000000000000(0000) GS:ffff88043fd80000(0000) knlGS:0000000000000000
[940808.783036] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[940808.852975] CR2: 000000000000047c CR3: 00000004255fe000 CR4: 00000000000006e0
[940808.939634] Call Trace:
[940808.970041] <IRQ>
[940808.995250] ? ip6t_do_table+0x265/0x640
[940809.043341] seg6_do_srh_encap+0x28f/0x300
[940809.093516] ? seg6_do_srh+0x1a0/0x210
[940809.139528] seg6_do_srh+0x1a0/0x210
[940809.183462] seg6_output+0x28/0x1e0
[940809.226358] lwtunnel_output+0x3f/0x70
[940809.272370] ip6_xmit+0x2b8/0x530
[940809.313185] ? ac6_proc_exit+0x20/0x20
[940809.359197] inet6_csk_xmit+0x7d/0xc0
[940809.404173] tcp_transmit_skb+0x548/0x9a0
[940809.453304] __tcp_retransmit_skb+0x1a8/0x7a0
[940809.506603] ? ip6_default_advmss+0x40/0x40
[940809.557824] ? tcp_current_mss+0x24/0x90
[940809.605925] tcp_retransmit_skb+0xd/0x80
[940809.654016] tcp_xmit_retransmit_queue.part.17+0xf9/0x210
[940809.719797] tcp_ack+0xa47/0x1110
[940809.760612] tcp_rcv_established+0x13c/0x570
[940809.812865] tcp_v6_do_rcv+0x151/0x3d0
[940809.858879] tcp_v6_rcv+0xa5c/0xb10
[940809.901770] ? seg6_output+0xdd/0x1e0
[940809.946745] ip6_input_finish+0xbb/0x460
[940809.994837] ip6_input+0x74/0x80
[940810.034612] ? ip6_rcv_finish+0xb0/0xb0
[940810.081663] ipv6_rcv+0x31c/0x4c0
...
Fixes: 6c8702c60b886 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
Reported-by: Tom Herbert <tom@quantonium.net>
Signed-off-by: David Lebrun <dlebrun@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/seg6_iptunnel.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -93,7 +93,8 @@ static void set_tun_src(struct net *net,
/* encapsulate an IPv6 packet within an outer IPv6 header with a given SRH */
int seg6_do_srh_encap(struct sk_buff *skb, struct ipv6_sr_hdr *osrh, int proto)
{
- struct net *net = dev_net(skb_dst(skb)->dev);
+ struct dst_entry *dst = skb_dst(skb);
+ struct net *net = dev_net(dst->dev);
struct ipv6hdr *hdr, *inner_hdr;
struct ipv6_sr_hdr *isrh;
int hdrlen, tot_len, err;
@@ -134,7 +135,7 @@ int seg6_do_srh_encap(struct sk_buff *sk
isrh->nexthdr = proto;
hdr->daddr = isrh->segments[isrh->first_segment];
- set_tun_src(net, skb->dev, &hdr->daddr, &hdr->saddr);
+ set_tun_src(net, ip6_dst_idev(dst)->dev, &hdr->daddr, &hdr->saddr);
#ifdef CONFIG_IPV6_SEG6_HMAC
if (sr_has_hmac(isrh)) {
next prev parent reply other threads:[~2018-03-29 18:00 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-29 17:59 [PATCH 4.14 00/43] 4.14.32-stable review Greg Kroah-Hartman
2018-03-29 17:59 ` [PATCH 4.14 01/43] tcp: reset sk_send_head in tcp_write_queue_purge Greg Kroah-Hartman
2018-03-29 17:59 ` [PATCH 4.14 02/43] tcp: purge write queue upon aborting the connection Greg Kroah-Hartman
2018-03-29 17:59 ` [PATCH 4.14 03/43] qed: Fix non TCP packets should be dropped on iWARP ll2 connection Greg Kroah-Hartman
2018-03-29 17:59 ` [PATCH 4.14 04/43] sysfs: symlink: export sysfs_create_link_nowarn() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 05/43] net: phy: relax error checking when creating sysfs link netdev->phydev Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 06/43] devlink: Remove redundant free on error path Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 07/43] macvlan: filter out unsupported feature flags Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 08/43] net: ipv6: keep sk status consistent after datagram connect failure Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 09/43] ipv6: old_dport should be a __be16 in __ip6_datagram_connect() Greg Kroah-Hartman
2018-03-29 18:00 ` Greg Kroah-Hartman [this message]
2018-03-29 18:00 ` [PATCH 4.14 11/43] ipv6: sr: fix scheduling in RCU when creating seg6 lwtunnel state Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 12/43] mlxsw: spectrum_buffers: Set a minimum quota for CPU port traffic Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 13/43] net: phy: Tell caller result of phy_change() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 14/43] net sched actions: return explicit error when tunnel_key mode is not specified Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 15/43] ppp: avoid loop in xmit recursion detection code Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 16/43] rhashtable: Fix rhlist duplicates insertion Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 17/43] kcm: lock lower socket in kcm_attach Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 18/43] sch_netem: fix skb leak in netem_enqueue() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 19/43] ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 20/43] net: use skb_to_full_sk() in skb_update_prio() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 21/43] net: Fix hlist corruptions in inet_evict_bucket() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 22/43] dccp: check sk for closed state in dccp_sendmsg() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 23/43] ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 24/43] l2tp: do not accept arbitrary sockets Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 25/43] net: ethernet: arc: Fix a potential memory leak if an optional regulator is deferred Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 26/43] net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY interface Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 27/43] net: fec: Fix unbalanced PM runtime calls Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 28/43] net/iucv: Free memory obtained by kzalloc Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 29/43] netlink: avoid a double skb free in genlmsg_mcast() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 30/43] net: Only honor ifindex in IP_PKTINFO if non-0 Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 31/43] net: systemport: Rewrite __bcm_sysport_tx_reclaim() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 32/43] qede: Fix qedr link update Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 33/43] skbuff: Fix not waking applications when errors are enqueued Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 34/43] team: Fix double free in error path Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 35/43] soc/fsl/qbman: fix issue in qman_delete_cgr_safe() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 36/43] dpaa_eth: fix error in dpaa_remove() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 37/43] dpaa_eth: remove duplicate initialization Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 38/43] dpaa_eth: increment the RX dropped counter when needed Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 39/43] dpaa_eth: remove duplicate increment of the tx_errors counter Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 40/43] s390/qeth: free netdevice when removing a card Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 41/43] s390/qeth: when thread completes, wake up all waiters Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 42/43] s390/qeth: lock read device while queueing next buffer Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 43/43] s390/qeth: on channel error, reject further cmd requests Greg Kroah-Hartman
2018-03-29 22:01 ` [PATCH 4.14 00/43] 4.14.32-stable review kernelci.org bot
2018-03-29 23:10 ` Shuah Khan
2018-03-30 15:02 ` Naresh Kamboju
2018-03-30 15:19 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180329175731.128620506@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=dlebrun@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tom@quantonium.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.